1. Forum
  2. FidoNET
  3. POLITICS

  • CISA says Oracle, Mitel

    From Mike Powell@1:2320/105 to All on Thursday, January 09, 2025 09:16:00
    CISA says Oracle and Mitel have critical security flaws being exploited

    Date:
    Wed, 08 Jan 2025 16:27:00 +0000

    Description:
    Government agency addS three new flaws to its KEV catalog, signaling in-the-wild abuse.

    FULL STORY

    The US Cybersecurity and Infrastructure Security Agency (CISA) HAS added
    three new flaws to its Exploited Vulnerabilities Catalog (KEV), signalling in-the-wild abuse, and giving federal agencies a deadline to patch things up.

    Two of the three flaws are found in Mitels MiCollab unified communications platform. One is a critical path traversal vulnerability, tracked as CVE-2024-41713.

    By abusing this bug, threat actors can run admin actions and access user and network information.

    A deadline to patch

    "A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality,
    integrity, and availability of the system. This vulnerability is exploitable without authentication," MiCollab said.

    "If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive
    user and network information and perform unauthorized administrative actions
    on the MiCollab Server."

    The second bug is tracked as CVE-2024-55550, another path traversal vulnerability granting admin privileges. The impact of this bug is limited, however, since it doesnt allow threat actors to escalate privileges, or
    access files with sensitive information. Therefore, the severity of this bug was assigned to medium - 4.4/10.

    The third bug is found in Oracle WebLogic Server, and is tracked as CVE-2020-2883. It was patched in April 2020, and grants threat actors the ability to remotely access vulnerable endpoints.

    Now, with all three vulnerabilities being added to KEV, federal agencies have until January 28 to apply the fixes, or stop using the products altogether.
    8. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA
    said.

    Mitels MiCollab is a popular unified communications platform, and as such - a major target for cybercriminals. In early December this year, the company patched a three-month-old zero-day vulnerability that allowed crooks to read sensitive files.

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/cisa-says-oracle-and-mitel-have-critica l-security-flaws-being-exploited

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)